NASA's Cybersecurity Program Gets Failing Grade

The U.S. National Aeronautics and Space Administration (NASA) has again failed to implement an effective cybersecurity program, according to a review by the NASA Office of Inspector General (OIG) for fiscal year 2018.

Based on the analysis of NASA systems and interviews with the agency’s representatives, the OIG has assigned a Level 2 maturity rating to the organization’s cybersecurity program for a second year in a row.

Level 2 organizations have their policies, procedures and strategies formalized and documented, but they are not consistently implemented. The Office of Management and Budget requires organizations to get a rating of at least Level 4 for their cybersecurity program to be considered effective.

Auditors have identified two main areas of concern: system security plans containing missing, incomplete and inaccurate data; and failure to conduct information system control assessments in a timely manner.

“We consider the issue of missing, incomplete, and inaccurate information security plan data to be an indicator of a continuing control deficiency that we have identified in recent NASA OIG reviews,” the OIG’s report reads. “Likewise, the untimely performance of information security control assessments could indicate control deficiencies and possibly significant threats to NASA operations, which could impair the Agency’s ability to protect the confidentiality, integrity, and availability of its data, systems, and networks.”

A few months ago, NASA informed employees that their personal information, including social security numbers, may have been stolen after one of its servers had been breached. The agency claimed the incident did not impact any of its missions.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.